Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The short answer: internal teams miss what surveyors and prosecutors find
Even high-performing behavioral health treatment centers need external audits because internal staff cannot see the blind spots that state surveyors, HHS-OIG auditors, and payer SIU teams are trained to find. External reviewers catch the documentation gaps, billing patterns, and Environment of Care issues that quietly compound until they surface as a Requirement for Improvement, a payer takeback, or a subpoena.
The federal enforcement data is not subtle. In June 2025, DOJ prosecutors charged 455 defendants in schemes involving more than $6.5 billion in alleged false claims, and behavioral health featured prominently across the docket. Legitimate operators get pulled into scrutiny for boring reasons. A coder used the wrong add-on. A therapist copy-forwarded a progress note. A biller kept submitting 99215 when the encounter was a routine check-in.
A defensible chart, a clean EOC tour, and a payer-ready claim are the output of a compliance program that someone from outside the building checks. Not once a year. On a rhythm.
What surveyors and OIG auditors are actually finding
HHS-OIG audits keep landing on the same category of findings: missing assessments, unsigned notes, treatment plans without required signatures, and undocumented provider credentials. In a January 2026 report on Maine’s Medicaid rehabilitative and community support program, HHS-OIG estimated that Maine made at least $45.6 million in improper fee-for-service Medicaid payments, and every one of the 100 sampled enrollee-months contained a claim line that was improper or potentially improper.
Those are not sophisticated fraud schemes. Those are chart-audit findings any competent external reviewer would have caught in a mock survey.
Accreditors see the same pattern. Consultants at Barrins & Associates, citing The Joint Commission, note that 60% of survey findings come from staff not following the organization’s own rules. Policy on the shelf, practice in the chart, and the gap between them is where a Requirement for Improvement lives. Ligature risks in residential settings, medication reconciliation gaps, incomplete treatment plans, untimely assessments, and missing informed consent show up on Behavioral Health Care Standards Manual surveys over and over. An internal QA nurse who audits her own program will not spot what a surveyor spots. Not because she is not sharp. Because she wrote half the workflows.
Billing integrity: the highest-cost failure mode
In August 2025, a Walnut Creek behavioral medicine provider agreed to pay $2.75 million to resolve False Claims Act allegations tied to psychotherapy add-on codes 90833 and 90836 submitted between January 2015 and December 2022. DOJ alleged the providers either did not perform the add-on service or did not adequately document it. Seven years of billings. One code family.
In May 2026, the North Carolina Attorney General announced a $584,143 settlement with Crossroads Treatment Center of Greensboro to resolve allegations that between 2019 and 2023 the SUD provider submitted urinary drug testing claims without giving physicians the option to order a lower level of testing, resulting in more complex testing than was medically necessary. A managed care organization, Trillium Health Resources, flagged the pattern first. As Attorney General Jeff Jackson put it, “A managed care organization flagged something that was out of pattern.”
Read that sentence twice. A payer’s analytics team caught it before the government did. An external coding and documentation audit finds these patterns before a whistleblower or an MCO does.
Why 'we passed our last survey' is not a compliance program
I have watched founders point to a clean CARF three-year decision and treat it as a shield. It is not. Payer SIU audits, state licensure inspections, and OIG data pulls do not follow the accreditation calendar. The Joint Commission has confirmed that re-surveys are unannounced and can occur any time between 18 and 36 months from the initial survey.
Enforcement analytics have also collapsed the timeline. DOJ’s Health Care Fraud Unit now runs a Data Fusion Center staffed with HHS-OIG, FBI, and financial-intelligence analysts. According to Ballard Spahr’s summary of the 2026 takedown, prosecutors “opened the investigation within five days of the financial intelligence review” on a $67 million Illinois Medicaid behavioral health scheme, where the defendant allegedly billed for 500 or more hours of counseling per day. Data analytics did the math before any human auditor walked in.
Meanwhile, the Eastern District of Virginia charged the co-owner of a mental health company in a $49 million Virginia Medicaid fraud scheme targeting homeless individuals with hotel-stay inducements, and the District of Arizona charged a defendant with $44 million in fraudulent behavioral services claims targeting Native Americans in substance-use treatment. The 2026 takedown ran across 56 federal districts with 50 state Medicaid Fraud Control Units participating, the most in DOJ history.
External audits at Atlantic Health Strategies run on different logic than an internal QA cycle. We enter the building as a surveyor would. We pull a stratified sample of charts across ASAM Criteria 4th Edition levels of care. We tour the EOC as if we had never seen it. We test payer readiness against the actual timely filing windows and utilization management rules in the contract. We compare census patterns to billed encounters. And we tell the CEO what we found, in writing, before someone with subpoena power tells them instead.
What an external audit program actually covers
A serious external audit program for a behavioral health treatment center has five moving parts, and none of them are optional:
- Clinical documentation and chart audit. Human reviewers sampling charts across ASAM Criteria 4th Edition levels of care, testing assessment timeliness, treatment plan signatures, session note quality, discharge planning, and medical necessity.
- Billing and coding audit. CPT and HCPCS validation, add-on code documentation (90833, 90836, 90838), time-based service verification against schedules, and payer-specific rule testing. Drug-testing code selection gets its own pass after the North Carolina Crossroads settlement.
- Mock survey and EOC tour. Ligature risk sweep in residential and withdrawal-management settings, medication storage and reconciliation, emergency preparedness drills, and life-safety inspection currency.
- HIPAA and 42 CFR Part 2 review. Access controls, termination workflows, audit log review, and business associate inventory.
- Payer readiness and UM review. Contract audit against timely filing, prior authorization, and level-of-care criteria; SIU-simulation audit on high-dollar claim families.
Operators in Florida, Texas, Virginia, and Arizona should pay particular attention. Cases highlighted in DOJ’s 2025 takedown announcement, per Fierce Healthcare’s reporting, clustered around Virginia, Arizona, Illinois, and New York schemes involving behavioral health, crisis stabilization, and personal-care services. Nearly half a billion dollars in Medicaid-related false claims and a record 295 defendants charged on Medicaid alone. State Medicaid Fraud Control Units are staffed, funded, and looking.
If no outside team has ever audited your program on a defined rhythm, you do not have a compliance program. You have a hope.
Frequently asked questions
How often should a behavioral health treatment center undergo an external audit?
At minimum, annually for chart, billing, and Environment of Care. High-acuity or multi-site operators should run quarterly billing audits on high-risk code families and a full mock survey 6-9 months before any expected Joint Commission or CARF visit. The Joint Commission has confirmed that re-surveys are unannounced and can occur any time between 18 and 36 months from an initial survey, so a rigid three-year internal cadence leaves you exposed.
What is the difference between an internal QA review and an external audit?
Internal QA staff wrote or trained on the workflows they are reviewing, which creates blind spots. An external audit brings surveyor-side and payer-side methodology into the building: stratified chart sampling, tracer methodology on the EOC, and coding review against the actual payer contract. External auditors also test whether written policy matches actual practice, which is the source of roughly 60% of Joint Commission findings, according to Barrins & Associates.
Which behavioral health billing patterns draw the most federal scrutiny?
Psychotherapy add-on codes 90833 and 90836, tied to the $2.75 million August 2025 California settlement with Comprehensive Psychiatric Services; drug-testing code selection, tied to the $584,143 May 2026 Crossroads Greensboro settlement in North Carolina; and billing volumes that exceed staff capacity, tied to the $67 million Illinois Medicaid behavioral health case flagged by DOJ’s Data Fusion Center. DOJ prosecutors opened that Illinois investigation within five days of the financial intelligence review.
Can an external audit be discoverable in a False Claims Act case?
Audit findings can become discoverable, which is why the audit should be structured with counsel, remediation should be documented and completed, and the workflow should be governed by attorney-client privilege where appropriate. The greater risk is not having an audit trail at all; a former employee filing a qui tam suit will describe what happened without your version on record.
References
- U.S. Department of Justice, National Health Care Fraud Takedown Results in 455 Defendants Charged in Connection with Over $6.5 Billion in Alleged Fraud (June 2025)
- U.S. Attorney’s Office, Northern District of California, California Behavioral Medicine Provider Agrees to Pay $2.75 Million to Resolve Alleged False Claims for Psychotherapy Services (Aug. 20, 2025)
- North Carolina Department of Justice, Attorney General Jeff Jackson Secures $584,000 to Resolve Medicaid Fraud Allegations Against Greensboro Treatment Center (May 2026)
- HHS-OIG, Maine Made at Least $45.6 Million in Improper Fee-for-Service Medicaid Payments for Rehabilitative and Community Support Services (Report A-01-24-00006, Jan. 2026)
- Barrins & Associates, Five Surprising Joint Commission Standards Frequently Scored High-Risk
- Ballard Spahr, DOJ’s Health Care Fraud Takedown Spotlights AI and Data Analytics (July 2026)
- The Joint Commission, Preparing for Your Next Survey for Behavioral Health Accreditation
- Fierce Healthcare, DOJ Announces $6.5B Healthcare Fraud Takedown with Record Medicaid Enforcement (June 2025)